Cloudflare SSL - Do You Use Or Not?

black3dynamite

@nashbrydges said in Cloudflare SSL - Do You Use Or Not?:

So I am going over a friend's setup today. He asked if I could make sure his setup was ok. Good for him to use Cloudflare for DNS but I noticed that he has setup SSL to "Full" even though he's using Let's Encrypt to secure his site. I've been turning that off for all of my domains on Cloudflare otherwise the cert that shows up in the browser is Cloudflare's and not his.

Am I missing something? I don't see a reason why I would use Cloudflare's SSL because I prefer that the visitor's browser indicates that the certificate is issued to my own domain.

I use Cloudflare SSL as well even though I'm using Let's Encrypt too.

scottalanmiller

I use both as well.

JaredBusch

You have to switch to DNS based auth for the LE certs if you are putting the traffic through CloudFlare or you need to disable cloudflare prior to the renew request.

At least that is how it was when LE went public. Haven't looked into CF since.

NashBrydges

@black3dynamite @scottalanmiller Is there any benefit in using CF's SSL? I only see this as confusing if users verefy the cert in their browser. Granted, that's likely a pretty rare thing but still. Any specific reason for using it vs not? You're using it just because it's there?

NashBrydges

@jaredbusch said in Cloudflare SSL - Do You Use Or Not?:

You have to switch to DNS based auth for the LE certs if you are putting the traffic through CloudFlare or you need to disable cloudflare prior to the renew request.

At least that is how it was when LE went public. Haven't looked into CF since.

Thanks @JaredBusch I'll watch for this the next time I'm registering a new domain. So far, I've been migrating existing ones to CF so haven't run into this on renewal.

dbeato

@jaredbusch said in Cloudflare SSL - Do You Use Or Not?:

You have to switch to DNS based auth for the LE certs if you are putting the traffic through CloudFlare or you need to disable cloudflare prior to the renew request.

At least that is how it was when LE went public. Haven't looked into CF since.

Yes, that is true. I went through this with Zimbra and LE which caused a lot of problems.

dbeato

@nashbrydges said in Cloudflare SSL - Do You Use Or Not?:

@black3dynamite @scottalanmiller Is there any benefit in using CF's SSL? I only see this as confusing if users verefy the cert in their browser. Granted, that's likely a pretty rare thing but still. Any specific reason for using it vs not? You're using it just because it's there?

It is a reverse proxy for you without the need of an additional Server, you can also host sub-domains with the same SSL, it is free but the SSL just needs to be renewed in CloudFlare.

black3dynamite

@nashbrydges said in Cloudflare SSL - Do You Use Or Not?:

@black3dynamite @scottalanmiller Is there any benefit in using CF's SSL? I only see this as confusing if users verefy the cert in their browser. Granted, that's likely a pretty rare thing but still. Any specific reason for using it vs not? You're using it just because it's there?

I use the non strict Full SSL because I have some self-signed certs.

JaredBusch

@black3dynamite said in Cloudflare SSL - Do You Use Or Not?:

@nashbrydges said in Cloudflare SSL - Do You Use Or Not?:

@black3dynamite @scottalanmiller Is there any benefit in using CF's SSL? I only see this as confusing if users verefy the cert in their browser. Granted, that's likely a pretty rare thing but still. Any specific reason for using it vs not? You're using it just because it's there?

I use the non strict Full SSL because I have some self-signed certs.

Same here.

NashBrydges

@black3dynamite said in Cloudflare SSL - Do You Use Or Not?:

@nashbrydges said in Cloudflare SSL - Do You Use Or Not?:

@black3dynamite @scottalanmiller Is there any benefit in using CF's SSL? I only see this as confusing if users verefy the cert in their browser. Granted, that's likely a pretty rare thing but still. Any specific reason for using it vs not? You're using it just because it's there?

I use the non strict Full SSL because I have some self-signed certs.

That would be a good use-case scenario. Thanks.

FATeknollogee

I use CF for DNS & as domain registrar.
My web hosting is done somewhere else.

I'm trying to use LE certs (at my web hoster) but the dns-01 validation is failing.

What am I doing wrong?

black3dynamite

@FATeknollogee said in Cloudflare SSL - Do You Use Or Not?:

dns-01

Not sure what that is but could this help?

Cloud Flare hook bash for dehydrated - DNS-01 Challenge Let's Encrypt
https://github.com/sineverba/cfhookbash

travisdh1

@FATeknollogee said in Cloudflare SSL - Do You Use Or Not?:

I use CF for DNS & as domain registrar.
My web hosting is done somewhere else.

I'm trying to use LE certs (at my web hoster) but the dns-01 validation is failing.

What am I doing wrong?

You'll need a cloudflare api key and the registered email in a file. Mine is in /root/.secrets/cloudlfare.ini, which has 2 lines

dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = your key

Then you can:

certbot2 certonly --dns-cloudflare-credentials /root/.secret/cloudflare.ini --renew-by-default -d domain.com -d subdomain.domain.com

You do have to list all domains and subdomains you want the cert to be valid for in the command. I have mine scripted to run once every day.

dbeato

@travisdh1 said in Cloudflare SSL - Do You Use Or Not?:

@FATeknollogee said in Cloudflare SSL - Do You Use Or Not?:

I use CF for DNS & as domain registrar.
My web hosting is done somewhere else.

I'm trying to use LE certs (at my web hoster) but the dns-01 validation is failing.

What am I doing wrong?

You'll need a cloudflare api key and the registered email in a file. Mine is in /root/.secrets/cloudlfare.ini, which has 2 lines

dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = your key

Then you can:

certbot2 certonly --dns-cloudflare-credentials /root/.secret/cloudflare.ini --renew-by-default -d domain.com -d subdomain.domain.com

You do have to list all domains and subdomains you want the cert to be valid for in the command. I have mine scripted to run once every day.

Yep, I have it that way for my home as I cannot get SSL since my ISP blocks port 80.

JaredBusch

I just don't wan tto take the time to convert everything. I have been using LE for so long...

black3dynamite

@JaredBusch said in Cloudflare SSL - Do You Use Or Not?:

I just don't wan tto take the time to convert everything. I have been using LE for so long...

Why would you have to convert? Is this a new way of getting certs now?

FATeknollogee

@dbeato @travisdh1
Are you guys doing this on a VPS or you have a self-hosted web server?

travisdh1

@FATeknollogee said in Cloudflare SSL - Do You Use Or Not?:

@dbeato @travisdh1
Are you guys doinf this on a VPS or you have a self-hosted web server?

Mine is a self hosted server with an nginx proxy handling all external traffic. Should work the same with a VPS when using cloudflare for DNS.

JaredBusch

@black3dynamite said in Cloudflare SSL - Do You Use Or Not?:

@JaredBusch said in Cloudflare SSL - Do You Use Or Not?:

I just don't wan tto take the time to convert everything. I have been using LE for so long...

Why would you have to convert? Is this a new way of getting certs now?

Yes. This would allow us to use CloudFlare again. When I first switched to LE, I had to manually disable CloudFlare (uncheck the orange cloud), wait a minute, then run the LE renew, then reenable CloudFlare.

Certbot eventually came out with a plugin that you could use the CloudFlare API to enable, and disable during the process. But, by then, I had already just disabled CloudFare proxying all my sites that use LE.

Now, with DNS verificaiton, I can turn everything back on and not even need the API to enable/disable. But I will need to take the time to set things back up again.

Baldwin_Cannon

In principle, the combination of both will be appropriate for better safety of the web site. Only along with the above, I also use other types of SSL such as there https://hostovita.pl/ssl/